Tessera Access · certificate login

Offline certificate login with managed delegation

Personal, accountable login for engineers and contractors on any device running Astra Linux or other Linux — from ATMs and POS terminals to industrial controllers. All rights live inside the certificate; all validation happens on the device itself. No network is needed at login time at all.

Offline: the device itself verifies the certificate, its expiry, revocation and scopes, without a network.
Identity: every login is tied to a specific engineer, including contractor logins.
In production: already running across bank ATM fleets.
Astra Linux SE: MIC, closed software environment · GOST crypto · Rutoken / JaCarta · Open-source agent core · Windows (on the roadmap)

01 · How it works

Delegation: every link can only narrow the rights

The fleet owner issues the service organization a certificate with hard scopes. The organization issues its engineer an even narrower shift certificate. A certificate that steps outside its issuer's scopes fails validation on the device, so no link in the chain can grant more than it was given.

Fleet owner

A bank, an industrial company, a critical-infrastructure operator. The root of trust — only the owner decides who may do what.

rights: entire fleet

Organization certificate

  • devices: region "North" only
  • roles: "maintenance" only
  • issued credentials: ≤ 30 days

rights narrowed to the contractor's scope

Service organization

The contractor. Issues credentials to its own engineers — but only inside the scopes it was given.

rights: region · 1 role

Engineer's shift certificate

  • device: ATM-0042 only
  • role: "maintenance"
  • valid for: 8 hours

rights narrowed to a single shift

Engineer

Arrives on site with a certificate on a USB stick or token. Needs no network.

rights: 1 device · 8 h

least privilege at login

Device

Any device running Linux / Astra Linux. Verifies signatures, scopes, expiry and revocation — without a single network call.

offline validation

The guarantee lives on the device itself. Even if a contractor's issuing CA is compromised, it cannot produce a working certificate outside its scopes: a southern ATM rejects a "northern" contractor's certificate on its own, offline, because the owner-signed organization certificate it checks against names only the northern region. What a compromised contractor CA can still do is issue certificates inside those scopes, so it is cut off by revoking its organization certificate, and that revocation reaches an offline device with the next signed list carried onto it.
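As an added illustration of the narrowing rule and of the offline check (example code written for this page, not Tessera's agent or its certificate format): a small Go model in which every certificate carries its scopes, each link is signed by its issuer, and the device holds only the owner's root certificate and the last revocation list it received. The certificate layout, the JSON encoding and the use of Ed25519 in place of GOST signatures are assumptions of the example; the forged "southern" certificate reproduces the scenario described above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Cert is a hypothetical scoped certificate. The field set and JSON wire form are
// assumptions made for this example; they are not the product's own format.
type Cert struct {
	Serial    string            `json:"serial"`
	Subject   string            `json:"subject"`
	Regions   []string          `json:"regions"` // "*" (any) is only ever set on the root
	Devices   []string          `json:"devices"`
	Roles     []string          `json:"roles"`
	NotBefore time.Time         `json:"not_before"`
	NotAfter  time.Time         `json:"not_after"`
	MaxIssue  time.Duration     `json:"max_issue"` // lifetime ceiling for certs this holder issues
	PubKey    ed25519.PublicKey `json:"pub_key"`
	Sig       []byte            `json:"sig,omitempty"` // issuer's signature over everything else
}

// tbs is the to-be-signed encoding: the cert with its own signature blanked.
func (c Cert) tbs() []byte { c.Sig = nil; b, _ := json.Marshal(c); return b }

func sign(c *Cert, issuer ed25519.PrivateKey) { c.Sig = ed25519.Sign(issuer, c.tbs()) }

// within reports whether every entry of child is permitted by parent ("*" permits anything,
// but a child may only carry "*" if its parent does, so scopes can never widen).
func within(child, parent []string) bool {
	if len(child) == 0 {
		return false
	}
	for _, x := range child {
		ok := false
		for _, p := range parent {
			if p == "*" || p == x {
				ok = true
			}
		}
		if !ok {
			return false
		}
	}
	return true
}

// Device is everything the endpoint knows locally: its own identity, the owner's
// root cert pinned into the image, and the last revocation list delivered offline.
type Device struct {
	ID, Region string
	Root       Cert
	Revoked    map[string]bool
}

// Verify walks the chain owner -> organization -> engineer, checking at each link the
// signature, revocation, validity window and that scopes only narrow relative to the
// issuer; then it checks the leaf against this device and the requested role. No network.
func (d Device) Verify(chain []Cert, role string, now time.Time) error {
	parent := d.Root
	for i, c := range chain {
		switch {
		case !ed25519.Verify(parent.PubKey, c.tbs(), c.Sig):
			return fmt.Errorf("link %d (%s): bad signature", i, c.Subject)
		case d.Revoked[c.Serial]:
			return fmt.Errorf("link %d (%s): revoked", i, c.Subject)
		case now.Before(c.NotBefore) || now.After(c.NotAfter):
			return fmt.Errorf("link %d (%s): outside validity window", i, c.Subject)
		case c.NotAfter.After(parent.NotAfter) || c.NotAfter.Sub(c.NotBefore) > parent.MaxIssue:
			return fmt.Errorf("link %d (%s): lifetime exceeds issuer's ceiling", i, c.Subject)
		case c.MaxIssue > parent.MaxIssue || !within(c.Regions, parent.Regions) ||
			!within(c.Devices, parent.Devices) || !within(c.Roles, parent.Roles):
			return fmt.Errorf("link %d (%s): widens issuer's scope", i, c.Subject)
		}
		parent = c
	}
	if len(chain) == 0 || !within([]string{d.Region}, parent.Regions) ||
		!within([]string{d.ID}, parent.Devices) || !within([]string{role}, parent.Roles) {
		return fmt.Errorf("leaf does not cover device %s (%s) with role %q", d.ID, d.Region, role)
	}
	return nil
}

// Scenarios builds the owner -> contractor -> engineer chain from the page (constructed
// sample data, fresh keys each run) and returns the device's verdict for several logins.
func Scenarios() map[string]error {
	ownerPub, ownerKey, _ := ed25519.GenerateKey(rand.Reader)
	orgPub, orgKey, _ := ed25519.GenerateKey(rand.Reader)
	engPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Date(2024, 5, 6, 9, 0, 0, 0, time.UTC)
	day := 24 * time.Hour

	root := Cert{Serial: "owner-1", Subject: "Fleet owner", Regions: []string{"*"}, Devices: []string{"*"},
		Roles: []string{"*"}, NotBefore: now.Add(-365 * day), NotAfter: now.Add(3650 * day), MaxIssue: 365 * day, PubKey: ownerPub}
	org := Cert{Serial: "org-7", Subject: "Service org", Regions: []string{"North"}, Devices: []string{"*"},
		Roles: []string{"maintenance"}, NotBefore: now.Add(-day), NotAfter: now.Add(89 * day), MaxIssue: 30 * day, PubKey: orgPub}
	sign(&org, ownerKey)
	shift := Cert{Serial: "shift-42", Subject: "Engineer", Regions: []string{"North"}, Devices: []string{"ATM-0042"},
		Roles: []string{"maintenance"}, NotBefore: now, NotAfter: now.Add(8 * time.Hour), PubKey: engPub}
	sign(&shift, orgKey)
	// A compromised contractor CA forges a cert for a southern ATM: correctly signed, out of scope.
	forged := shift
	forged.Serial, forged.Regions, forged.Devices = "shift-99", []string{"South"}, []string{"ATM-0777"}
	sign(&forged, orgKey)

	north := Device{ID: "ATM-0042", Region: "North", Root: root, Revoked: map[string]bool{}}
	south := Device{ID: "ATM-0777", Region: "South", Root: root, Revoked: map[string]bool{}}
	revoking := Device{ID: "ATM-0042", Region: "North", Root: root, Revoked: map[string]bool{"org-7": true}}
	return map[string]error{
		"shift at ATM-0042":    north.Verify([]Cert{org, shift}, "maintenance", now.Add(time.Hour)),
		"wrong role":           north.Verify([]Cert{org, shift}, "admin", now.Add(time.Hour)),
		"after the shift":      north.Verify([]Cert{org, shift}, "maintenance", now.Add(9*time.Hour)),
		"forged southern cert": south.Verify([]Cert{org, forged}, "maintenance", now.Add(time.Hour)),
		"org revoked by CRL":   revoking.Verify([]Cert{org, shift}, "maintenance", now.Add(time.Hour)),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-22s -> %v\n", name, err)
	}
}
```

The point to notice is which certificate the scopes are compared against: always the issuer's, never the root's. That single rule is what leaves a compromised contractor CA unable to widen anything, and the same loop handles the owner-imposed ceilings on lifetime and on what the holder may issue further down.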

02 · Certificate issuance

A shift certificate in a minute, from a web console

No manual cryptography: the contractor's dispatcher issues a certificate in a web console, and the system keeps it inside the scopes.

Fleet owner's console

Issues organization certificates to contractors, with scopes: device groups, roles, and ceilings on privilege and duration.

Service organization's console

The dispatcher issues shift certificates to their engineers per work order — the form cannot step outside the organization's scopes.

Straight onto the medium

Written to a USB stick or token (Rutoken / JaCarta) at the dispatcher's desk. The short lifetime limits the damage from a lost medium: the certificate on it expires with the shift, and it can be revoked earlier via the next revocation list.

The engineer carries updates

Next to the certificate the console places a fresh revocation list, configuration and updates — the device applies them at login on its own, after verifying the signature.

Every issuance is journaled

Who issued what, to whom, for which device and with which rights — and who delivered which update. CLI and API planned for ticket-system integrations.

03 · Operations

Managed from one place, lives without it

Fleets of tens of thousands of devices: delivery via signed files over any channel, login never waits for the network.

Central management

Roles, policies, revocation (CRL) and inventory for the whole fleet in one Tessera Control, with administrator and auditor as separate roles. You can also start with no server at all: roles and keys go into the device image.

Tessera Control · standalone works too

Astra Linux as a native platform

The privilege level in the certificate maps to Astra's mandatory integrity level: the session opens with exactly that label, compared bit for bit. Components are signed, the agent works with the closed software environment enabled, and login goes through the native fly-dm screen.

SE, MIC, closed software environment

Audit on the device

Every login, logout and denial is an event in a hash-chained journal: tampering and deletion are visible. Uploaded to Control when connectivity exists; export via the engineer’s medium for air-gapped sites.

tamper-evident · works offline
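One way to build such a journal, as an added example written for this page (not the product's own code or record format): each record carries the SHA-256 digest of the previous one, so editing, reordering or removing a record breaks the recomputation. The record layout and field separators are assumptions of the example. It also shows the one manipulation a bare hash chain does not catch on its own, cutting records off the end, which is why the head digest has to leave the device (to Control, or on the engineer's medium) and be compared against on the way back.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one journal record. The layout is an assumption for this example, not the
// product's own format: each record commits to the previous one by carrying its digest.
type Entry struct {
	Seq   int    // 1-based position in the journal
	Event string // what happened, e.g. "login ok user=eng-17 device=ATM-0042 role=maintenance"
	Prev  string // hex SHA-256 of the previous entry (all zeros for the first one)
	Hash  string // hex SHA-256 over Seq, Event and Prev
}

var genesis = strings.Repeat("0", 64)

// digest length-prefixes the event so a "|" or newline inside it cannot shift fields.
func digest(seq int, event, prev string) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%d:%s|%s", seq, len(event), event, prev)))
	return hex.EncodeToString(sum[:])
}

type Journal struct{ Entries []Entry }

// Append links a new event to the current tail.
func (j *Journal) Append(event string) {
	prev := genesis
	if n := len(j.Entries); n > 0 {
		prev = j.Entries[n-1].Hash
	}
	seq := len(j.Entries) + 1
	j.Entries = append(j.Entries, Entry{seq, event, prev, digest(seq, event, prev)})
}

// Head is the digest of the last entry: the value to upload to Control or carry out on
// the engineer's medium, so that a later truncation of the tail becomes visible.
func (j Journal) Head() string {
	if len(j.Entries) == 0 {
		return genesis
	}
	return j.Entries[len(j.Entries)-1].Hash
}

// Verify recomputes the chain. Edits, insertions and deletions inside the journal break it
// on their own; deletions at the very end only show up against an externally held head,
// so pass the last head that left the device ("" skips that check).
func (j Journal) Verify(knownHead string) error {
	prev := genesis
	for i, e := range j.Entries {
		switch {
		case e.Seq != i+1:
			return fmt.Errorf("entry %d: expected seq %d (record removed or inserted)", e.Seq, i+1)
		case e.Prev != prev:
			return fmt.Errorf("entry %d: prev link broken", e.Seq)
		case digest(e.Seq, e.Event, e.Prev) != e.Hash:
			return fmt.Errorf("entry %d: hash mismatch (record edited)", e.Seq)
		}
		prev = e.Hash
	}
	if knownHead != "" && prev != knownHead {
		return fmt.Errorf("head %s... does not match the exported head (tail truncated?)", prev[:8])
	}
	return nil
}

// Scenarios writes a few constructed events and shows which manipulations the chain catches.
func Scenarios() map[string]error {
	var j Journal
	for _, ev := range []string{
		"login ok user=eng-17 device=ATM-0042 role=maintenance",
		"denied user=eng-23 device=ATM-0042 reason=outside-scope",
		"logout user=eng-17 device=ATM-0042",
		"login ok user=eng-17 device=ATM-0042 role=maintenance",
	} {
		j.Append(ev)
	}
	head := j.Head() // imagine this was uploaded to Control at the last sync

	edited := Journal{Entries: append([]Entry(nil), j.Entries...)}
	edited.Entries[1].Event = "login ok user=eng-23 device=ATM-0042 role=maintenance" // denial -> success

	gap := Journal{Entries: append(append([]Entry(nil), j.Entries[:1]...), j.Entries[2:]...)} // drop #2

	truncated := Journal{Entries: append([]Entry(nil), j.Entries[:3]...)} // drop the last entry

	return map[string]error{
		"intact":                  j.Verify(head),
		"entry edited":            edited.Verify(head),
		"middle entry deleted":    gap.Verify(head),
		"tail cut, no known head": truncated.Verify(""), // undetectable by the chain alone
		"tail cut, head known":    truncated.Verify(head),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-24s -> %v\n", name, err)
	}
}
```

The "tail cut, no known head" case is the one to keep in mind when the upload to Control is delayed: between syncs, the only copy of the head is on the device, so an export on the engineer's medium should carry it as well.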

Simple to install and keep current

Installation is a package plus configuration files, with a built-in readiness self-check (doctor). The agent core is open source, so your security team can see exactly what runs on the devices.

no DB · no daemons on the login path

Need token-free login via the engineer's phone? That's Tessera Codes, enabled on the same agent, nothing to reinstall. Role accounts, groups and sudoers on these devices are provisioned declaratively by Census, an open-source product of the same platform.

Next step — a pilot on your fleet

A few devices, your maintenance scenarios, your contractors — and a before/after audit comparison.